Island Hopping: Growing Threats to the Aviation & Logistics Industry

When we think about the industries that have the most to lose from a serious cyber attack, our minds probably go straight to the finance, healthcare, and energy sectors. And for good reason – as Carbon Black research shows, 78% of IR professionals say they observe attacks on the financial industry most often, with healthcare right behind it. When we begin to discuss energy and critical infrastructure, there is a strong argument to be made that WW3 will be waged on that front, with tens of millions of lives hanging in the balance in an advanced, widespread attack.

Today I want to shift the focus to the aviation industry – which includes transportation, defence, logistics, and more. It is an industry responsible for roughly 10,000 airplanes and 1,000,000 passengers in our skies across the globe at any given moment, and one that has been in the UK headlines of late, when British Airways became the victim of a very sophisticated, malicious cyber attack that resulted in the personal and financial information of 380,000 customers being stolen by cyber criminals.

What is particularly interesting about this attack is that it is believed that the certificate the hackers used was actually issued on 15th August which indicates they likely had access to the British Airways site before the reported start date of the attack – possibly long before.

The breach illustrates how cyberattacks are becoming more frequent and more sophisticated, as nation state actors and crime syndicates continue to leverage elegant tactics like island hopping, fileless attacks, lateral movement and counter incident response, in an effort to remain undetected.

It’s Not Me, It’s You

One of the bigger problems the aviation industry faces today is not necessarily weakness in its own defences, but island hoppers targeting organisations with less mature security postures along its global supply chain in order to gain access to connected systems. Per the Carbon Black Quarterly Incident Response Threat Report, over a third of today’s attackers are using their victims for precisely this reason. As large enterprises become increasingly secure, we’ll see the use of this attack strategy expand.

“This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organisations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert.”

It is absolutely imperative that we stay aware of the fact that the route to exploitation often doesn’t begin with us. These tactics aren’t exclusive to the Russians. Threat actors from China, Iran, North Korea, etc. are all using this increasingly common strategy in order to infiltrate the target – performing reconnaissance, lateral movement, and counter incident response along the way.

The Case of TNT Express/FedEx

In 2015, FedEx began the acquisition of TNT Express, a UK based shipping company. By 2016, the purchase was complete and systems integration was planned to occur over the coming year. What wasn’t planned was the devastating Shadowbrokers leak that hit the world in early 2017, providing attackers everywhere with the EternalBlue exploit.

By June of 2017, the Ukrainian arm of TNT Express was left crippled by a NotPetya attack that entered their networks via a bogus update from a piece of financial software called MeDoc. But this wasn’t just any cyber attack. A widespread effort by a nation state group (think: who was occupying parts of the Ukraine at this time) was underway, targeting the Ukraine and companies that do business there by leveraging the weaker defences and vulnerabilities that existed along the supply chain.

The damage done? Reported losses of $400 million in the first half of 2018. Around $1.10 of value lost per share of FedEx stock. System integration costs also increased to the tune of an additional $600 million.

This attack crippled their legacy systems, which made up the backbone of their infrastructure. Planes were grounded, truck routes ceased, and brand degradation occurred as their name consumed the news cycle for months in the wake of this devastating attack.

What Can Be Done?

As I’ve previously discussed, we all need to take a page out of the pilot’s notebook. Through this approach we can start adopting more comprehensive cyber-security checklists that will reduce our risk surface, much of which attackers consider low-hanging fruit. For instance, focusing on vulnerability management, controlled use of administrative credentials, and instituting strict configuration management policies is a start. But we need to go further. The threatscape is the most fluid it’s ever been, and teams must be equipped with solutions that:

Turn lights on in places that weren’t illuminated before: think anti-collision lights and warning systems on the entire aircraft.

Provide an extensible platform that allows for proactivity in defences: how much control over your systems do you have? Can it be audited?

Enable threat hunters: how rich is your data set, where does the data reside, and what threat intelligence are you using?

Give teams the ability to automate vital pieces of their workflow, allowing for more cycles to focus on what matters: solutions working in silos help no one.

Furthermore, always be asking questions. What standards are being used when vetting vendors that will handle your data, have a presence within your network, or hold any other link to your systems that could be abused or used to beacon out?

Don’t let a compliance stamp of approval allow you to sleep easy at night while the imminent threat still persists.